Skip to content

Commit

Permalink
Merge branch 'Dev' into TeamsGroupPolicyAssignment
Browse files Browse the repository at this point in the history
  • Loading branch information
sandrola committed Oct 17, 2024
2 parents 12c78a2 + d32e11b commit 86027e6
Show file tree
Hide file tree
Showing 50 changed files with 9,859 additions and 99 deletions.
21 changes: 19 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,14 @@

# UNRELEASED

* IntuneDerivedCredential
* Initial release.
* AADAdminConsentRequestPolicy
* Initial release.
* AADApplication
* Fixed an issue trying to retrieve the beta instance.
* Added support for OnPremisesPublishing.
* Added support for ApplicationTemplate.
* Fixes an issue where trying to apply permissions complained about
duplicate entries.
* AADAuthenticationRequirement
* Initial release.
* AADConnectorGroupApplicationProxy
Expand All @@ -24,6 +24,8 @@
* Initial release.
* AADLifecycleWorkflowSettings
* Initial release.
* AADServicePrincipal
* Adding Delegated Permission Classification Property
* ADOPermissionGroupSettings
* Initial release.
* EXOATPBuiltInProtectionRule
Expand All @@ -38,18 +40,33 @@
* IntuneAppAndBrowserIsolationPolicyWindows10
* Initial release.
FIXES [#3028](https://github.com/microsoft/Microsoft365DSC/issues/3028)
* IntuneDerivedCredential
* Initial release.
* IntuneDeviceConfigurationIdentityProtectionPolicyWindows10
* Added deprecation notice.
* IntuneEndpointDetectionAndResponsePolicyWindows10
* Migrate to new Settings Catalog cmdlets.
* IntuneMobileAppsMacOSLobApp
* Initial release
* IntuneMobileAppsWindowsOfficeSuiteApp
* Initial release
* IntuneSecurityBaselineMicrosoft365AppsForEnterprise
* Initial release
* IntuneSecurityBaselineMicrosoftEdge
* Initial release
* PPAdminDLPPolicy
* Initial release.
* PPDLPPolicyConnectorConfigurations
* Initial release.
* PPPowerAppPolicyUrlPatterns
* Initial release.
* TeamsClientConfiguration
* Fixed bug where RestrictedSenderList was always empty in the MSFT_TeamsClientConfiguration resource
FIXES [#5190](https://github.com/microsoft/Microsoft365DSC/issues/5190)
* Changed Set-TargetResource to always use semicolon as separator as mentioned in the MS documentation
* TeamsUpgradePolicy
* Added support for tenant wide changes using the * value for users.
FIXES [#5174](https://github.com/microsoft/Microsoft365DSC/issues/5174)
* TeamsGroupPolicyAssignments
* FIXES [#5179](https://github.com/microsoft/Microsoft365DSC/issues/5179)
* M365DSCDRGUtil
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -971,7 +971,7 @@ function Set-TargetResource
if ($needToUpdatePermissions -and -not [System.String]::IsNullOrEmpty($Permissions) -and $Permissions.Length -gt 0)
{
Write-Verbose -Message "Will update permissions for Azure AD Application {$($currentAADApp.DisplayName)}"
$allSourceAPIs = $Permissions.SourceAPI | Get-Unique
$allSourceAPIs = $Permissions.SourceAPI | Select-Object -Unique
$allRequiredAccess = @()

foreach ($sourceAPI in $allSourceAPIs)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,10 @@ function Get-TargetResource
[System.Boolean]
$AppRoleAssignmentRequired,

[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$DelegatedPermissionClassifications,

[Parameter()]
[System.String]
$ErrorUrl,
Expand Down Expand Up @@ -212,32 +216,43 @@ function Get-TargetResource
}
}

[Array]$complexDelegatedPermissionClassifications = @()
$permissionClassifications = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$AppId')/delegatedPermissionClassifications" -Method Get
foreach ($permissionClassification in $permissionClassifications.Value){
$hashtable = @{
classification = $permissionClassification.Classification
permissionName = $permissionClassification.permissionName
}
$complexDelegatedPermissionClassifications += $hashtable
}

$result = @{
AppId = $AADServicePrincipal.AppId
AppRoleAssignedTo = $AppRoleAssignedToValues
ObjectID = $AADServicePrincipal.Id
DisplayName = $AADServicePrincipal.DisplayName
AlternativeNames = $AADServicePrincipal.AlternativeNames
AccountEnabled = [boolean]$AADServicePrincipal.AccountEnabled
AppRoleAssignmentRequired = $AADServicePrincipal.AppRoleAssignmentRequired
ErrorUrl = $AADServicePrincipal.ErrorUrl
Homepage = $AADServicePrincipal.Homepage
LogoutUrl = $AADServicePrincipal.LogoutUrl
Owners = $ownersValues
PublisherName = $AADServicePrincipal.PublisherName
ReplyURLs = $AADServicePrincipal.ReplyURLs
SamlMetadataURL = $AADServicePrincipal.SamlMetadataURL
ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames
ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType
Tags = $AADServicePrincipal.Tags
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
ApplicationSecret = $ApplicationSecret
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
Managedidentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
AppId = $AADServicePrincipal.AppId
AppRoleAssignedTo = $AppRoleAssignedToValues
ObjectID = $AADServicePrincipal.Id
DisplayName = $AADServicePrincipal.DisplayName
AlternativeNames = $AADServicePrincipal.AlternativeNames
AccountEnabled = [boolean]$AADServicePrincipal.AccountEnabled
AppRoleAssignmentRequired = $AADServicePrincipal.AppRoleAssignmentRequired
DelegatedPermissionClassifications = [Array]$complexDelegatedPermissionClassifications
ErrorUrl = $AADServicePrincipal.ErrorUrl
Homepage = $AADServicePrincipal.Homepage
LogoutUrl = $AADServicePrincipal.LogoutUrl
Owners = $ownersValues
PublisherName = $AADServicePrincipal.PublisherName
ReplyURLs = $AADServicePrincipal.ReplyURLs
SamlMetadataURL = $AADServicePrincipal.SamlMetadataURL
ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames
ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType
Tags = $AADServicePrincipal.Tags
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
ApplicationSecret = $ApplicationSecret
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
Managedidentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)"
return $result
Expand Down Expand Up @@ -289,6 +304,10 @@ function Set-TargetResource
[System.Boolean]
$AppRoleAssignmentRequired,

[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$DelegatedPermissionClassifications,

[Parameter()]
[System.String]
$ErrorUrl,
Expand Down Expand Up @@ -398,6 +417,8 @@ function Set-TargetResource
{
$currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValue
}
# removing Delegated permission classifications from this new call, as adding below separately
$currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null
$ObjectGuid = [System.Guid]::empty
if (-not [System.Guid]::TryParse($AppId, [System.Management.Automation.PSReference]$ObjectGuid))
{
Expand All @@ -419,6 +440,17 @@ function Set-TargetResource
Write-Verbose -Message "Adding new owner {$owner}"
$newOwner = New-MgServicePrincipalOwnerByRef -ServicePrincipalId $newSP.Id -BodyParameter $body
}

#adding delegated permissions classifications
if($null -ne $DelegatedPermissionClassifications){
foreach ($permissionClassification in $DelegatedPermissionClassifications){
$params = @{
classification = $permissionClassification.Classification
permissionName = $permissionClassification.permissionName
}
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params
}
}
}
# ServicePrincipal should exist and will be configured to desired state
elseif ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Present')
Expand All @@ -434,6 +466,7 @@ function Set-TargetResource
Write-Verbose -Message "ServicePrincipalID: $($currentAADServicePrincipal.ObjectID)"
$currentParameters.Remove('AppRoleAssignedTo') | Out-Null
$currentParameters.Remove('Owners') | Out-Null
$currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null
Update-MgServicePrincipal -ServicePrincipalId $currentAADServicePrincipal.ObjectID @currentParameters

if ($AppRoleAssignedTo)
Expand Down Expand Up @@ -546,6 +579,26 @@ function Set-TargetResource
-DirectoryObjectId $userInfo.Id | Out-Null
}
}

Write-Verbose -Message "Checking if DelegatedPermissionClassifications need to be updated..."

if ($null -ne $DelegatedPermissionClassifications)
{
# removing old perm classifications
$permissionClassificationList = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Get
foreach($permissionClassification in $permissionClassificationList.Value){
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications/$($permissionClassification.Id)" -Method Delete
}

# adding new perm classifications
foreach ($permissionClassification in $DelegatedPermissionClassifications){
$params = @{
classification = $permissionClassification.Classification
permissionName = $permissionClassification.permissionName
}
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params
}
}
}
# ServicePrincipal exists but should not
elseif ($Ensure -eq 'Absent' -and $currentAADServicePrincipal.Ensure -eq 'Present')
Expand Down Expand Up @@ -589,6 +642,10 @@ function Test-TargetResource
[System.Boolean]
$AppRoleAssignmentRequired,

[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$DelegatedPermissionClassifications,

[Parameter()]
[System.String]
$ErrorUrl,
Expand Down Expand Up @@ -677,21 +734,48 @@ function Test-TargetResource

Write-Verbose -Message 'Testing configuration of Azure AD ServicePrincipal'

$testTargetResource = $true
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()

#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)

if (-not $testResult)
{
$testTargetResource = $false
}
else {
$ValuesToCheck.Remove($key) | Out-Null
}
}
}

Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"

$ValuesToCheck = $PSBoundParameters

$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys `
-IncludedDrifts $driftedParams

if(-not $TestResult)
{
$testTargetResource = $false
}

Write-Verbose -Message "Test-TargetResource returned $TestResult"
Write-Verbose -Message "Test-TargetResource returned $testTargetResource"

return $TestResult
return $testTargetResource
}

function Export-TargetResource
Expand Down Expand Up @@ -785,6 +869,10 @@ function Export-TargetResource
{
$Results.AppRoleAssignedTo = Get-M365DSCAzureADServicePrincipalAssignmentAsString -Assignments $Results.AppRoleAssignedTo
}
if ($Results.DelegatedPermissionClassifications.Count -gt 0)
{
$Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
Expand All @@ -795,6 +883,11 @@ function Export-TargetResource
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName 'AppRoleAssignedTo'
}
if ($null -ne $Results.DelegatedPermissionClassifications)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName 'DelegatedPermissionClassifications'
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
Expand Down Expand Up @@ -841,4 +934,26 @@ function Get-M365DSCAzureADServicePrincipalAssignmentAsString
return $StringContent
}

function Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications
{
[CmdletBinding()]
[OutputType([System.String])]
param(
[Parameter(Mandatory = $true)]
[System.Collections.ArrayList]
$PermissionClassifications
)

$StringContent = "@(`r`n"
foreach ($permissionClassification in $PermissionClassifications)
{
$StringContent += " MSFT_AADServicePrincipalDelegatedPermissionClassification {`r`n"
$StringContent += " Classification = '" + $PermissionClassification.Classification + "'`r`n"
$StringContent += " PermissionName = '" + $PermissionClassification.PermissionName + "'`r`n"
$StringContent += " }`r`n"
}
$StringContent += ' )'
return $StringContent
}

Export-ModuleMember -Function *-TargetResource
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,13 @@ class MSFT_AADServicePrincipalRoleAssignment
[Write, Description("Unique identity representing the principal.")] String Identity;
};

[ClassVersion("1.0.0")]
class MSFT_AADServicePrincipalDelegatedPermissionClassification
{
[Write, Description("Classification of the delegated permission"), ValueMap{"low", "medium", "high"}, Values{"low", "medium", "high"}] String Classification;
[Write, Description("Name of the permission")] String PermissionName;
};

[ClassVersion("1.0.0.0"), FriendlyName("AADServicePrincipal")]
class MSFT_AADServicePrincipal : OMI_BaseResource
{
Expand All @@ -25,6 +32,8 @@ class MSFT_AADServicePrincipal : OMI_BaseResource
[Write, Description("Specifies an array of service principal names. Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal.")] String ServicePrincipalNames[];
[Write, Description("The type of the service principal.")] String ServicePrincipalType;
[Write, Description("Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp}")] String Tags[];
[Write, Description("The permission classifications for delegated permissions exposed by the app that this service principal represents."), EmbeddedInstance("MSFT_AADServicePrincipalDelegatedPermissionClassification")] String DelegatedPermissionClassifications[];

[Write, Description("Specify if the Azure AD App should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -682,7 +682,7 @@ function Export-TargetResource
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.DeviceSettings `
-CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings'
-CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10'
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.DeviceSettings = $complexTypeStringResult
Expand All @@ -696,7 +696,7 @@ function Export-TargetResource
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.UserSettings `
-CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings'
-CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10'
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.UserSettings = $complexTypeStringResult
Expand Down
Loading

0 comments on commit 86027e6

Please sign in to comment.